Query Refused problem
Sven Eschenberg
sven at whgl.uni-frankfurt.de
Thu Oct 1 17:10:55 UTC 2009
Funny enough, I did not have any allow-query at all, but adding
allow-query {any;} did indeed change the behavior. But allow-query-cache
obviously defaults to localhost, localnets and was triggering the
behavior that confused me.
In between I overhauled the config, setting all the options explicitly
where needed, instead of building on default behavior and everything
works as expected now. Lesson learned: Ignore defaults, always set
things as YOU want them to be :-).
Thanks for your reply though.
Regards
-Sven
Matus UHLAR - fantomas wrote:
> On 30.09.09 15:59, Sven Eschenberg wrote:
>> When I had no allow-query statement at all in my config, everything
>> worked fine (including recursion) for all clients, that were in subnets
>> directly attached to the server. The external view (authoritative, non
>> recursive) did work for every client as supposed to.
>> Now a client on a not directly attached subnet, with its own view,
>> could not resolve anything, except local zones on the server. (Though
>> recursion was turned on for the view).
>> External view's clients could not recurse, though recursion was turned
>> on, obviously to really recurse I'd need an allow-query statement.
>>
>> Adding an allow-query statement to the general config, limited to the
>> campus network made all local views work, but with the result, that no
>> client matching the external view could look up the authoritative zones.
>>
>> Now, I am wondering if I did set up everything right after all, here's
>> what I did do:
>>
>> External view, no recursion, allow-query {any;}
>> Not directly attached client with internal view: match on client's ip,
>> allow recursion, allow query for the client's ip.
>> all other internal views, matched by locally attached networks, no
>> allow-query statement, allow recursion.
>>
>> This seems to work.
>>
>> I am wondering: Would it be harmful to allow queries by any host
>> (globally) as long as external clients (in their view) are not allowed
>> any recursion? Would that be more feasible?
>
> allow-query { any; }; is default. Do you have any other allows?
>
> the first error message indicated that you didn't allow query-cache or recursion
> for some clients. Apparently you cloned a view but forgot to allow either
> one in the new view...
>
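
The layout discussed in this thread, with every access control set explicitly
per view instead of relying on defaults. This is an added example, not a config
posted by anyone in the thread; all addresses, ACL names, view names, zone names
and file paths are constructed placeholders.

```conf
// Constructed example: addresses, names and paths are placeholders.
acl campus        { 192.0.2.0/24; 198.51.100.0/24; };  // locally attached networks
acl remote_client { 203.0.113.25; };                   // client on a routed, not attached subnet

options {
    directory "/var/named";
    // No global allow-* statements here: each view states its own policy,
    // so one global ACL cannot lock external clients out of the public zones.
};

// Views are matched top to bottom; the most specific client match goes first.
view "remote-internal" {
    match-clients { remote_client; };
    recursion yes;
    // "recursion yes" alone is not enough. If allow-query, allow-query-cache
    // and allow-recursion are all left unset, the cache and recursion ACLs
    // fall back to { localnets; localhost; }, which excludes this client.
    allow-query       { remote_client; };
    allow-query-cache { remote_client; };
    allow-recursion   { remote_client; };
    zone "example.edu" { type master; file "internal/example.edu.zone"; };
};

view "internal" {
    match-clients { campus; };
    recursion yes;
    allow-query       { campus; };
    allow-query-cache { campus; };
    allow-recursion   { campus; };
    zone "example.edu" { type master; file "internal/example.edu.zone"; };
};

// Catch-all: authoritative answers for anyone, no cache access, no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query       { any; };
    allow-query-cache { none; };
    allow-recursion   { none; };
    zone "example.edu" { type master; file "external/example.edu.zone"; };
};
```

named-checkconf can be run against the file to confirm the syntax before reloading.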